The Hacker News — Cyber Security, Hacking, Technology News

WikiLeaks has today published the 15th batch of its ongoing Vault 7 leak, this time detailing two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH (Secure Shell) credentials from targeted Windows and Linux operating systems using different attack vectors.

Secure Shell or SSH is a cryptographic network protocol used for remote login to machines and servers securely over an unsecured network.

Gyrfalcon — Implant for Linux OS

Gyrfalcon is also capable of collecting full or partial OpenSSH session traffic, and stores stolen information in an encrypted file for later exfiltration.

"The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left running," the user manual of Gyrfalcon v1.0 reads.

"Sometime later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data."

The user manual for Gyrfalcon v2.0 says that the implant is consist of "two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file."

"Gyrfalcon does not provide any communication services between the local operator computer and target platform. The operator must use a third-party application to upload these three files to the target platform."

Previous Vault 7 CIA Leaks

Last week, WikiLeaks dumped a classified CIA project that allowed the spying agency to hack and remotely spy on PCs running the Linux operating systems.

Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to targets closed networks or air-gapped computer systems within an organization or enterprise without requiring any direct access.

Cherry Blossom – An agency's framework, basically a remotely controllable firmware-based implant, used for spying on the Internet activity of the targeted systems by exploiting flaws in WiFi devices.

Pandemic – The agency's project that let it turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.

Athena – A spyware framework that has been designed by CIA to take full control over the infected Windows machines remotely, and works against every version of Windows OS, from Windows XP to Windows 10.

AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that has been designed to monitor actions on the infected remote host computer and execute malicious actions.

Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).